Feel free to correct me if I am wrong, but I believe at an enterprise level penetration testing contracts are paid at a flat rate? To some of the members who pen test in the corporate world, do these tests typically range from x to x depending on what needs to be done, or do various companies contract out penetration testers at a solid hourly rate?

I'm in a situation where I am participating on a few freelancing websites and there are folks who want this type of work done, and I have never thought, 'If I had to charge an hourly rate to do this type of work, how much should I charge?'. I saw one contractor's profile who has his rate set at $132 an hour, but he's located in the US. Of course I am sure it varies across the board depending on what country you're located in. My main question basically is, how much do you think is a minimal hourly rate to set for this type of work? I'm sure based on your experience levels and years in the field it must vary, but if anyone could help, I'm all ears!

I'm not currently a pentester but I have read a lot about certain jobs and how much they cost. I would think 130 per hour is on the low end of the scale, but I'm sure our experienced posters will have a much more accurate answer.

I will say what I think based on the current rates, in Ottawa, Canada.

1) Contract length: The longer the contract, the lower the rate. If you get a 5 day contract, you can ask $125. But for contracts longer than 15 days, it's hard to get more than $100. The reason is we live in a federal government city where applying for a contract requires lots of red tape. And since you don't win every time, you need to get your investment back in a shorter time frame. This also leads to less competition since most companies won't spend 10 hours responding to an RFP for a 5-day contract they may not win... The short/long contract rate has nothing to do with knowledge, just red tape.

2) Knowledge required: Pentesting a custom application requires fuzzing and maybe writing your own 0-day, which requires more knowledge than running Nessus. I know, running Nessus is barely performing a VA and is not a pentest at all, but your competitors may bid a very low rate and just do that. The client gets screwed, but some of them don't care as long as they can say they had an external company performing a pentest. I hate that, but that's a reality... So be careful to stay competitive. Pentests cost a lot and many clients think they bring little back to a project, especially if the security was already pretty good. We always have to fight the perception that security is expensive and brings nothing back...

3) Long term relationship: Do you want a one-off, or to establish a long term relationship with your client? If you are relatively cheap and you do a good job, you have a good chance of getting other contracts with them. So unless you are so busy that you have to cancel offers all the time, you have to consider this.

4) Contractor or employee? To me, an employee would probably make $45/hour for a typical engagement while a consultant would average $100/hour. And really, at the end of the year with all benefits taken into account, it's about the same amount of money. When you're a consultant, you don't work all the time, you have to train yourself, bid on projects, you don't get benefits, you need insurance, etc. So big differences there.

5) Time of year: In Ottawa, there are virtually no contracts between mid-July and mid-September because managers are on holidays. The best time of year is May-June when it's the beginning of the fiscal year for the federal government. So I would ask a lot less in August if I am out of work than I would in May. Check your region and find out how it works.

6) Are you that good? I consider myself not too bad, but I am not a superstar at all! If I were to compete against Sil for example, I know I would have to ask a lot less per hour, because after an interview, I would stand a chance. He can probably go 5 times faster than me. So 5 days of his work may look more attractive to a client than 10 days of mine... You've got to take this into account. Also, if a pentest requires very special knowledge and you know you have the experience, you may get more than your previous engagement where you didn't know that much. It's tricky.

At the end of the day, if you are a consultant, what you really want is to build relationships with clients and work full time. If you are an employee, you want to learn as much as possible, get lots of experience and... become a consultant!

I could not agree more; I think the points H1t M0nk3y makes are excellent. The points are pretty much the same here in the UK. Many companies get pen tests done but don't really want them. A lot of the time they are forced to have them done by other companies they deal with, and they do everything they can to make your life hard work.

And you also get companies that will go run Nessus, give the client a copy of the Nessus report and say job done. That makes it hard for good companies to get business, as those companies do not charge a lot and in the client's eyes they are getting the same job done for a much cheaper price; they don't understand the importance of getting the job done right.

H1t M0nk3y - Superior response and it makes complete sense. Comparing the rate with how much I was bidding for my services, it seems like I'm 'low balling' myself here. Definitely open to any other responses if anyone has anything else to contribute - although you nailed it dead-on, monkey.

I agree that some companies, if not many, are not aware of actual security testing of their website or network.... They just do it as a formality, for auditing purposes, and that's it; not sure whether there is any action taken based on the report....

I'm also interested in how people market pen testing. Naturally, you contact your existing customers asking whether they need a fresh test, or have contacts to whom they'll refer you, but for someone just hanging up their own shingle with no existing clients, where do you start?

I'm running a free test for a friend who is a business owner with hopes that he'll refer me to others, and that I'll get his repeat business once he sees the value a pentest offers. I can do this a few times for various groups, but I can't do it too often, or for too long.

For marketing them, I think it needs to be made clear to the client that a vulnerability assessment is NOT a penetration test. Will a vulnerability assessment satisfy some compliance requirements? Probably. But will it prove that those vulnerabilities can be exploited? No, it does not. The only way to do that is with a pen test. Why test? Why waste money on fixing something if it isn't truly broken? Why buy some new software tool if the threat truly doesn't exist? Though a full pen test can be pricey, it could prevent unnecessary long term costs from purchasing some subscription to automated scans or some piece of hardware you may not need.

Also, it will prove that your standard areas of protection are not necessarily the only attack vector. Most vulnerability assessments typically include network scans and audits of the patching and AV systems. Good assessors will look at safe ways to test the scan results but not actually try to gain access. Most will not run any social engineering, which, as we know, is one of the easiest methods to gain access to critical information.

Either test will result in the need to spend some money on improving the security posture. But some fixes are just re-tweaking your current infrastructure, while others may be investments in upgrading old or legacy products.